Catch of the Day: Two-Step Phish
Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients or readers like you, and other reliable sources on the Internet.
You can send phishing samples to me at phish@wyzguys.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.
Happy Talk Like A Pirate Day
Phishing Attack Takes a Two-Step Approach to Leverage Legitimate Sites and Evade Detection
Analysis of a new phishing attack demonstrates how attackers may take a longer path to reach their malicious goals while staying “under the radar” of security products.
It would be simple to create a phishing attack that sends its victims a brand-impersonated email with a link to a fake webpage asking for credentials, personal details or credit card information.
But many of today’s security products will detect the impersonation immediately. So, if you’re a cybercriminal developing a cunning phishing scam, you need to find ways to avoid being detected – even if it means adding a few unnecessary steps.
And that’s exactly what we find in security vendor Perception Point’s latest analysis of a phishing attack that uses Microsoft Office Forms as an intermediate step in their phishing scam. According to the analysis, the phishing email impersonates a well-known brand (such as Microsoft 365 below) with the first step being the clicking of a link within the email that points to an Office form.
Blog post with example screenshots and links:
https://blog.knowbe4.com/phishing-attack-takes-a-two-step-approach-to-leverage-legitimate-sites-and-evade-detection
SEP
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com